psjenkins/ISMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
881b2bf2bcd7b1053d66f58e0fb522118a672f19
ISMS/03-procedures/supplier-onboarding-and-review-procedure.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

2.9 KiB
Raw Blame History

Title: Supplier Onboarding and Review Procedure Document ID: [PROC-SUPPLIER-001] Version: 0.1 Draft Status: Draft Owner: CISO (Paul Jenkins) Approver: CISO (Paul Jenkins) Classification: Internal Effective date: [DD Month YYYY] Review date: [DD Month YYYY]

Supplier Onboarding and Review Procedure

Purpose

This procedure defines how BlackDice should assess, onboard, record, and review suppliers relevant to the ISMS scope.

Scope

This procedure applies to suppliers providing technology, hosting, support, development, data processing, operational, or other services that may affect security, resilience, or compliance.

Trigger / When Used

Use this procedure when:

  • a new supplier is proposed
  • a supplier's role or service scope materially changes
  • periodic supplier review is due
  • a supplier incident or assurance concern triggers reassessment

Procedure Steps

  1. Record the proposed supplier, service description, owner, and business rationale.
  2. Determine the supplier's risk tier based on access, information handled, service criticality, deployment model, and dependency importance.
  3. Perform due diligence appropriate to the risk tier, including security, privacy, resilience, contractual, and shared-responsibility considerations.
  4. Review the due diligence outcome and identify any required contractual controls, remediation actions, or risk acceptance decisions.
  5. Obtain approval to onboard or continue using the supplier where required.
  6. Record the supplier in the approved register with ownership, status, review cadence, and assurance references.
  7. Perform periodic review and reassessment based on risk, incidents, material changes, or expired assurance evidence.
  8. Track remediation actions, exceptions, and reassessment outcomes to closure.

Inputs

  • supplier proposal
  • due diligence responses or evidence
  • service and dependency information
  • legal or contractual review input where applicable

Outputs / Records

  • supplier review record
  • onboarding or continuation decision
  • supplier register entry
  • remediation, exception, or risk records where applicable

Roles and Responsibilities

  • Supplier owners must initiate and coordinate the review.
  • [Role] must oversee supplier security due diligence and review expectations.
  • Relevant stakeholders must support assessment and approval where applicable.

Escalation / Exceptions

Escalate where:

  • a supplier is business-critical or handles sensitive information
  • assurance evidence is incomplete or materially outdated
  • contractual controls cannot be agreed
  • a supplier incident changes the risk profile materially

Exceptions must be documented and approved appropriately.

Related Documents

  • Supplier Security Policy
  • Supplier Due Diligence Standard
  • Risk Assessment Procedure
  • Supplier Register Template

Version Control

Version Date Description of Change Author
0.1 Draft [DD Month YYYY] Initial draft. [Name or Role]
Reference in New Issue View Git Blame Copy Permalink